Ansible on MikroTik RouterOS 7 Automation Complete Guide
By Luca Berton · Published 2024-01-01 · Category: linux-administration
Automate MikroTik RouterOS 7 with Ansible: community.routeros collection, REST API, firewall, OSPF/BGP, WireGuard, CAPsMAN, configuration backup.
MikroTik RouterOS 7 is the modern release line for MikroTik routers and switches. It introduces a Linux-based kernel, WireGuard, IPv6-first BGP/OSPF, container support, and the REST API alongside the classic API. Ansible's community.routeros collection drives full automation: firewall rules, addresses, OSPF/BGP, WireGuard peers, CAPsMAN access points, and configuration backup.
RouterOS 7 release facts
| Item | Value |
|---|---|
| Major | 7.x (current 7.18) |
| Programmability | API (8728/8729), REST API (HTTPS), Winbox, SSH |
| New features | WireGuard, container, ROSE-STORAGE, IPv6 enhancements |
| Default firewall | RouterOS firewall (filter, raw, mangle, NAT) |
Ansible-core compatibility
Use ansible-core 2.18 LTS with community.routeros >= 3.0.
Inventory
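```ini
[mikrotik]
hap-ax3 ansible_host=192.168.88.1
ccr2004 ansible_host=10.0.0.1

[mikrotik:vars]
# community.routeros.command runs over SSH through network_cli
ansible_connection=ansible.netcommon.network_cli
ansible_network_os=community.routeros.routeros
ansible_user=admin
ansible_password='{{ vault_mikrotik_password }}'
# Plain inventory variables; the api_* modules take them as module parameters (port, tls)
ansible_routeros_api_port=8729
ansible_routeros_api_tls=true
```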
Backup configuration
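```yaml
- name: Backup RouterOS configs
  hosts: mikrotik
  gather_facts: false
  tasks:
    - name: Export full config
      community.routeros.command:
        commands:
          - /export
      register: routeros_export

    - name: Write /export to the control node
      ansible.builtin.copy:
        content: "{{ routeros_export.stdout[0] }}"
        dest: "backups/{{ inventory_hostname }}.rsc"  # backups/ is a placeholder directory that must exist
        mode: "0600"
      delegate_to: localhost

    # ansible_date_time is undefined when gather_facts is false, so use now()
    - name: Save a binary backup on the router
      community.routeros.command:
        commands:
          - "/system backup save name={{ inventory_hostname }}-{{ now(utc=true, fmt='%Y%m%dT%H%M%S') }}"
```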
Firewall rules
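```yaml
- name: Configure firewall on RouterOS
  hosts: mikrotik
  gather_facts: false
  module_defaults:
    group/community.routeros.api:
      hostname: "{{ ansible_host }}"
      username: "{{ ansible_user }}"
      password: "{{ ansible_password }}"
      tls: "{{ ansible_routeros_api_tls }}"
      port: "{{ ansible_routeros_api_port }}"
  tasks:
    # ensure_order needs the complete rule list in one call together with
    # handle_absent_entries: remove; restrict limits the task to the input
    # chain, so rules in other chains are left untouched.
    - name: Input chain - established/related, ICMP, then default drop
      community.routeros.api_modify:
        path: ip firewall filter
        handle_absent_entries: remove
        handle_entries_content: remove_as_much_as_possible
        ensure_order: true
        restrict:
          - field: chain
            values:
              - input
        data:
          - chain: input
            action: accept
            connection-state: "established,related"
          - chain: input
            action: accept
            protocol: icmp
          - chain: input
            action: drop
            comment: "default drop"
```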
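The three input rules above, run through a simplified first-match model (an added example, not code from the original article or from the community.routeros project): it shows that once the default drop is in place, new connections to the API-SSL port 8729 used by the inventory are dropped unless an accept rule sits before it. The matcher covers only the fields used here; the management subnet 192.168.88.0/24, the control-node address 192.168.88.10 and `MGMT_RULE` are assumptions.

```python
import ipaddress

# Input-chain rules in playbook order (constructed from the playbook's data).
PAGE_RULES = [
    {"chain": "input", "action": "accept", "connection-state": "established,related"},
    {"chain": "input", "action": "accept", "protocol": "icmp"},
    {"chain": "input", "action": "drop", "comment": "default drop"},
]

def rule_matches(rule, pkt):
    """Simplified matcher: every matcher present on the rule must match the packet."""
    if rule["chain"] != pkt["chain"]:
        return False
    if "connection-state" in rule and pkt["state"] not in rule["connection-state"].split(","):
        return False
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "dst-port" in rule and str(rule["dst-port"]) != str(pkt.get("dst_port")):
        return False
    if "src-address" in rule:
        net = ipaddress.ip_network(rule["src-address"])
        if ipaddress.ip_address(pkt["src"]) not in net:
            return False
    return True

def verdict(rules, pkt, default="accept"):
    """First matching rule decides; an unmatched packet gets the chain default (accept)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return default

def lockout_findings(rules, mgmt_src, mgmt_ports):
    """Return the management ports whose NEW TCP connections from mgmt_src are not accepted."""
    def new_conn(port):
        return {"chain": "input", "state": "new", "protocol": "tcp",
                "src": mgmt_src, "dst_port": port}
    return [p for p in mgmt_ports if verdict(rules, new_conn(p)) != "accept"]

# Hypothetical fix: accept API-SSL from an assumed management subnet before the drop.
MGMT_RULE = {"chain": "input", "action": "accept", "protocol": "tcp",
             "dst-port": 8729, "src-address": "192.168.88.0/24"}
FIXED_RULES = PAGE_RULES[:2] + [MGMT_RULE] + PAGE_RULES[2:]

if __name__ == "__main__":
    print("blocked as written:", lockout_findings(PAGE_RULES, "192.168.88.10", [8729]))
    print("blocked after fix: ", lockout_findings(FIXED_RULES, "192.168.88.10", [8729]))
```

Running the same check against the rule list a play is about to push catches a management lockout before the drop rule reaches the router.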
WireGuard peer
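```yaml
- name: Configure WireGuard
  hosts: mikrotik
  gather_facts: false
  module_defaults:
    group/community.routeros.api:
      hostname: "{{ ansible_host }}"
      username: "{{ ansible_user }}"
      password: "{{ ansible_password }}"
      tls: "{{ ansible_routeros_api_tls }}"
      port: "{{ ansible_routeros_api_port }}"
  tasks:
    - name: Create wg0 interface
      community.routeros.api_modify:
        path: interface wireguard
        data:
          - name: wg0
            listen-port: 51820
            private-key: "{{ vault_wg_private_key }}"
      no_log: true  # keep the private key out of task output

    - name: Add peer
      community.routeros.api_modify:
        path: interface wireguard peers
        data:
          - interface: wg0
            public-key: "{{ peer_public_key }}"
            allowed-address: 10.99.0.2/32
            endpoint-address: peer.example.com
            endpoint-port: 51820
            persistent-keepalive: 25s
```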
OSPFv3
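```yaml
- name: OSPFv3 instance
  hosts: mikrotik
  gather_facts: false
  module_defaults:
    group/community.routeros.api:
      hostname: "{{ ansible_host }}"
      username: "{{ ansible_user }}"
      password: "{{ ansible_password }}"
      tls: "{{ ansible_routeros_api_tls }}"
      port: "{{ ansible_routeros_api_port }}"
  tasks:
    - name: Instance
      community.routeros.api_modify:
        path: routing ospf instance
        data:
          - name: default
            router-id: "{{ rid }}"
            version: 3

    - name: Area
      community.routeros.api_modify:
        path: routing ospf area
        data:
          - name: backbone
            area-id: 0.0.0.0
            instance: default
```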
CAPsMAN access points
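```yaml
- name: Push CAPsMAN baseline
  hosts: mikrotik_controller
  gather_facts: false
  module_defaults:
    group/community.routeros.api:
      hostname: "{{ ansible_host }}"
      username: "{{ ansible_user }}"
      password: "{{ ansible_password }}"
      tls: "{{ ansible_routeros_api_tls }}"
      port: "{{ ansible_routeros_api_port }}"
  tasks:
    - name: Configuration profile
      community.routeros.api_modify:
        path: caps-man configuration
        data:
          - name: corp-wifi
            ssid: CorpWiFi
            datapath: corp-dp
            security: corp-sec
```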
Best practices
• Use the API/REST API transport over SSH for structured, idempotent changes.
• Keep community.routeros.api_modify calls scoped by find_filter to avoid duplicating rules.
• Backup before every change; RouterOS does not have transactional commits.
• Pin RouterOS firmware version with the community.routeros.system_routerboard upgrade flow.
Conclusion
RouterOS 7 + community.routeros brings MikroTik fleets into the Ansible-driven NetOps world. Use the API transport, idempotent api_modify, and rigorous backup discipline to manage large MikroTik deployments declaratively.